free antivirus scanner ?


free antivirus scanner ?

Frank Bonnet
Hello

I'm searching for a friend (who has very little money) an open source
antivirus scanner for email server that works with Postfix.

Any info/links/advice welcome

Thanks and happy new year.


Re: free antivirus scanner ?

Mason Loring Bliss
On Tue, Jan 03, 2012 at 04:26:57PM +0100, Frank Bonnet wrote:

> I'm searching for a friend (who has very few money) an open source
> antivirus scanner for email server that works with Postfix.

You probably want this:

    http://www.clamav.net/lang/en/

--
Mason Loring Bliss             [hidden email]            Ewige Blumenkraft!
(if awake 'sleep (aref #(sleep dream) (random 2))) -- Hamlet, Act III, Scene I

Re: free antivirus scanner ?

Duken Marga
You can also try amavis http://www.amavis.org/ and combine it with clamav.

On Tue, Jan 3, 2012 at 10:31 PM, Mason Loring Bliss <[hidden email]> wrote:
> On Tue, Jan 03, 2012 at 04:26:57PM +0100, Frank Bonnet wrote:
>
> > I'm searching for a friend (who has very few money) an open source
> > antivirus scanner for email server that works with Postfix.
>
> You probably want this:
>
>    http://www.clamav.net/lang/en/
>
> --
> Mason Loring Bliss             [hidden email]            Ewige Blumenkraft!
> (if awake 'sleep (aref #(sleep dream) (random 2))) -- Hamlet, Act III, Scene I



--
Duken Marga



Re: free antivirus scanner ?

/dev/rob0
In reply to this post by Frank Bonnet
On Tuesday 03 January 2012 09:26:57 Frank Bonnet wrote:
> I'm searching for a friend (who has very few money) an open source
> antivirus scanner for email server that works with Postfix.
>
> Any infos/links/advices  welcome

One link, Google, would have easily found clamav.

Info/advice: with postscreen(8), sane HELO restrictions, and good
DNSBLs, clamav is not going to get much use.

http://www.postfix.org/POSTSCREEN_README.html <-- Postfix 2.8 req'd
http://readlist.com/lists/postfix.org/postfix-users/28/140973.html
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
http://www.spamhaus.org/zen/ <-- worth the cost if not gratis for you
http://www.spamhaus.org/whitepapers/effective_filtering.html
http://barracudacentral.org/rbl <-- gratis but registration req'd
http://www.hardwarefreak.com/fqrdns.pcre <-- Stan's big list
http://spammers.dontlike.us/ <-- anti-spam discussion list

Spam fighting is a huge field, and content filtering such as clamav
certainly is not the best place to start. After the above, content
filtering with Amavisd-new ( http://www.amavis.org/ ) is the next
step. Continue on to clamav if you think it will be worth your time;
my guess is that it would not be.
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: free antivirus scanner ?

Charles Marcus
On 2012-01-03 12:09 PM, /dev/rob0 <[hidden email]> wrote:
> Info/advice: with postscreen(8), sane HELO restrictions, and good
> DNSBLs, clamav is not going to get much use.

Clamav, with the sane-security sigs, most certainly does block a lot of
phishing scams that would not otherwise be blocked.

And most of Postfix's built-in anti-spam techniques will NOT block an
infected email from a friend's computer, and clamav likely will.

ASSP is by far the best anti-spam content filter, but it isn't designed
to be used with amavisd-new... I'd love to see it modified so that it
could be an after-queue content filter called from amavisd-new, because
its block reporting capabilities are insanely great, and it is very easy
for a user to request an up-to-the-minute snapshot of their spam
quarantine using a pre-built email template.

--

Best regards,

Charles

Re: free antivirus scanner ?

Stan Hoeppner
In reply to this post by /dev/rob0
On 1/3/2012 11:09 AM, /dev/rob0 wrote:

> On Tuesday 03 January 2012 09:26:57 Frank Bonnet wrote:
>> I'm searching for a friend (who has very few money) an open source
>> antivirus scanner for email server that works with Postfix.
>>
>> Any infos/links/advices  welcome
>
> One link, Google, would have easily found clamav.
>
> Info/advice: with postscreen(8), sane HELO restrictions, and good
> DNSBLs, clamav is not going to get much use.
>
> http://www.postfix.org/POSTSCREEN_README.html <-- Postfix 2.8 req'd
> http://readlist.com/lists/postfix.org/postfix-users/28/140973.html
> http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
> http://www.spamhaus.org/zen/ <-- worth the cost if not gratis for you
> http://www.spamhaus.org/whitepapers/effective_filtering.html
> http://barracudacentral.org/rbl <-- gratis but registration req'd
> http://www.hardwarefreak.com/fqrdns.pcre <-- Stan's big list
> http://spammers.dontlike.us/ <-- anti-spam discussion list
>
> Spam fighting is a huge field, and content filtering such as clamav
> certainly is not the best place to start. After the above, content
> filtering with Amavisd-new ( http://www.amavis.org/ ) is the next
> step. Continue on to clamav if you think it will be worth your time;
> my guess is that it would not be.

To add to this sentiment, haven't most/all the viri/malware pushers
switched from an email delivery vector to drive-by downloads?  I can't
recall the last time I saw a viral email attachment.  I see and hear of
drive-by attempts quite frequently.  I see and hear of hyperlinks to
malware inside spam.  ClamAV won't help here.  But the methods mentioned
above will.

--
Stan

Re: free antivirus scanner ?

/dev/rob0
In reply to this post by Charles Marcus
On Tuesday 03 January 2012 11:28:09 Charles Marcus wrote:
> On 2012-01-03 12:09 PM, /dev/rob0 <[hidden email]> wrote:
> > Info/advice: with postscreen(8), sane HELO restrictions, and good
> > DNSBLs, clamav is not going to get much use.
>
> Clamav, with the sane-security sigs, most certainly does block a
> lot of phishing scams that would not otherwise be blocked.

I admit, it has been some time since I used/evaluated clamav, but at
that time, all it did catch at two small business sites over 3-4
months was less than one phish per month. And I never saw an actual
virus mail.

Also, my clamav was pretty much just the default settings.

> And most of Postfix's built-in anti-spam techniques will NOT block
> an infected email from a friend's computer, and clamav likely will.

I suppose you mean that the virus sent mail through an ISP relay, in
which case of course you are right. I haven't gotten these. Perhaps a
different type of friends, or just as likely, I have no friends. ;)

Still, URIBL filtering with amavisd-new/SA should catch these, or so
it would seem.

> ASSP is by far the best anti-spam content filter, but it isn't
> designed to be used with amavisd-new... I'd love to see it
> modified so that it could be an after-queue content filter called
> from amavisd-new, because its block reporting capabilities are
> insanely great, and it is very easy for a user to request an
> up-to-the-minute snapshot of their spam quarantine using a
> pre-built email template.
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: free antivirus scanner ?

Reindl Harald-2
In reply to this post by Stan Hoeppner


On 03.01.2012 18:30, Stan Hoeppner wrote:

> To add to this sentiment, haven't most/all the viri/malware pushers
> switched from an email delivery vector to drive-by downloads?  I can't
> recall the last time I saw a viral email attachment.

our barracuda saw 2929 in the last year

compared with 14 Mio blocked spam-mails not much but one
that hits you may be enough for a huge damage



Re: free antivirus scanner ?

Ralf Hildebrandt
In reply to this post by /dev/rob0
* /dev/rob0 <[hidden email]>:

> On Tuesday 03 January 2012 09:26:57 Frank Bonnet wrote:
> > I'm searching for a friend (who has very few money) an open source
> > antivirus scanner for email server that works with Postfix.
> >
> > Any infos/links/advices  welcome
>
> One link, Google, would have easily found clamav.
>
> Info/advice: with postscreen(8), sane HELO restrictions, and good
> DNSBLs, clamav is not going to get much use.

Also blocking "unwanted" attachments and double extensions (with
mime_header_checks or amavis) leaves only little stuff for clamav to
eat.

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
           

Re: free antivirus scanner ?

Charles Marcus
On 2012-01-03 1:18 PM, Ralf Hildebrandt <[hidden email]> wrote:
> Also blocking "unwanted" attachments and double extensions (with
> mime_header_checks or amavis) leaves only little stuff for clamav to
> eat.

Care to share your header_checks for blocking 'double extensions' (if
you're doing it with header checks)?

--

Best regards,

Charles

Re: free antivirus scanner ?

Reindl Harald-2


On 03.01.2012 19:42, Charles Marcus wrote:
> On 2012-01-03 1:18 PM, Ralf Hildebrandt <[hidden email]> wrote:
>> Also blocking "unwanted" attachments and double extensions (with
>> mime_header_checks or amavis) leaves only little stuff for clamav to
>> eat.
>
> Care to share your header_checks for blocking 'double extensions' (if you're doing it with header checks)?

especially for tar.gz, tar.bz2, tar.xz..............



Re: free antivirus scanner ?

Ralf Hildebrandt
In reply to this post by Charles Marcus
* Charles Marcus <[hidden email]>:
> On 2012-01-03 1:18 PM, Ralf Hildebrandt <[hidden email]> wrote:
> >Also blocking "unwanted" attachments and double extensions (with
> >mime_header_checks or amavis) leaves only little stuff for clamav to
> >eat.
>
> Care to share your header_checks for blocking 'double extensions' (if
> you're doing it with header checks)?

I used to do it that way (mime_header_checks):
http://listi.jpberlin.de/pipermail/postfixbuch-users/2011-June/056636.html

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
           

Re: free antivirus scanner ?

Ralf Hildebrandt
* Ralf Hildebrandt <[hidden email]>:

> * Charles Marcus <[hidden email]>:
> > On 2012-01-03 1:18 PM, Ralf Hildebrandt <[hidden email]> wrote:
> > >Also blocking "unwanted" attachments and double extensions (with
> > >mime_header_checks or amavis) leaves only little stuff for clamav to
> > >eat.
> >
> > Care to share your header_checks for blocking 'double extensions' (if
> > you're doing it with header checks)?
>
> I used to do it that way (mime_header_checks):
> http://listi.jpberlin.de/pipermail/postfixbuch-users/2011-June/056636.html

Well, that doesn't include the double extensions.

Something along those lines should work:
/name=\"(.*)\.([a-z]{3})\.([a-z]{3})\"$/ REJECT Double extension $2 and $3

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
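
An added example, not part of the original post: a small harness that runs the rule posted above against constructed MIME header lines, including the tar.* names raised earlier in the thread, to show what it rejects and what it lets through. The names `apply_rule`, `audit` and `SAMPLES` are hypothetical, and `re.IGNORECASE` is used because Postfix regexp/pcre tables match case-insensitively by default.

```python
import re

# Pattern exactly as posted. Postfix regexp/pcre tables are case-insensitive
# by default; re.IGNORECASE reproduces that here (assumption of this example).
RULE = re.compile(r'name=\"(.*)\.([a-z]{3})\.([a-z]{3})\"$', re.IGNORECASE)
ACTION = "REJECT Double extension $2 and $3"


def apply_rule(header_line):
    """Return the expanded action text if the rule fires, else None."""
    m = RULE.search(header_line)  # table patterns are unanchored unless they say so
    if m is None:
        return None
    # Expand $1..$3 from the captured groups, as the table's action text would be.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), ACTION)


# Constructed sample header lines (one logical line each), not real traffic.
SAMPLES = {
    "two 3-letter extensions": 'Content-Type: application/octet-stream; name="invoice.pdf.exe"',
    "upper case, filename=": 'Content-Disposition: attachment; filename="SCAN.PDF.EXE"',
    "tar.gz": 'Content-Disposition: attachment; filename="backup.tar.gz"',
    "tar.bz2": 'Content-Type: application/x-bzip2; name="src.tar.bz2"',
    "tar.xz": 'Content-Type: application/x-xz; name="logs.tar.xz"',
    # Benign name that still has two 3-letter dotted parts: a false positive.
    "benign dotted name": 'Content-Type: application/pdf; name="report.jan.pdf"',
    # The pattern ends in \"$ so a parameter after the file name stops the match.
    "trailing parameter": 'Content-Disposition: attachment; filename="invoice.pdf.exe"; size=4096',
}


def audit(samples=SAMPLES):
    """Map each sample label to the rule's verdict (action text or None)."""
    return {label: apply_rule(line) for label, line in samples.items()}


if __name__ == "__main__":
    for label, verdict in audit().items():
        print(f"{label:26} -> {verdict or 'pass'}")
```

The tar.gz, tar.bz2 and tar.xz names pass because their last part is not three letters; the benign `report.jan.pdf` is rejected, and the header with a trailing parameter is not, so the rule needs testing against your own mail before deployment.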
           

Re: free antivirus scanner ?

Stan Hoeppner
In reply to this post by Reindl Harald-2
On 1/3/2012 12:00 PM, Reindl Harald wrote:
>
>
> On 03.01.2012 18:30, Stan Hoeppner wrote:
>
>> To add to this sentiment, haven't most/all the viri/malware pushers
>> switched from an email delivery vector to drive-by downloads?  I can't
>> recall the last time I saw a viral email attachment.
>
> our barracuda saw 2929 in the last year

Out of how many total messages?  How many of the 2929 were FPs on some
other type of legit binary attachment?

> compared with 14 Mio blocked spam-mails not much but one

"Mio"?

> that hits you may be enough for a huge damage

Assuming desktops aren't sufficiently locked down, yes, could be huge.

--
Stan

Re: free antivirus scanner ?

Reindl Harald-2


On 03.01.2012 21:21, Stan Hoeppner wrote:

> On 1/3/2012 12:00 PM, Reindl Harald wrote:
>>
>>
>> On 03.01.2012 18:30, Stan Hoeppner wrote:
>>
>>> To add to this sentiment, haven't most/all the viri/malware pushers
>>> switched from an email delivery vector to drive-by downloads?  I can't
>>> recall the last time I saw a viral email attachment.
>>
>> our barracuda saw 2929 in the last year
>
> Out of how many total messages?  
around 15 millions
15.000.000

> How many of the 2929 were FPs on some
> other type of legit binary attachment?

not a single one

>> compared with 14 Mio blocked spam-mails not much but one
>
> "Mio"?

million

1.000.1000
thousand multiplied with thousand

in america i guess 14 billions it would be called :-)

>> that hits you may be enough for a huge damage
>
> Assuming desktops aren't sufficiently locked down, yes, could be huge.

that is the main problem in security

only one intrusion may be the same damage as a totally unsecured system




Re: free antivirus scanner ?

Frank Bonnet
In reply to this post by Frank Bonnet
OK thanks to you guys, I have enough information


On 03/01/2012 16:26, Frank Bonnet wrote:
> Hello
>
> I'm searching for a friend (who has very few money) an open source
> antivirus scanner for email server that works with Postfix.
>
> Any infos/links/advices welcome
>
> Thanks and happy new year.
>

RE: free antivirus scanner ?

Gary Smith-20
In reply to this post by Reindl Harald-2
> On 03.01.2012 18:30, Stan Hoeppner wrote:
>
> > To add to this sentiment, haven't most/all the viri/malware pushers
> > switched from an email delivery vector to drive-by downloads?  I can't
> > recall the last time I saw a viral email attachment.
>
> our barracuda saw 2929 in the last year
>
> compared with 14 Mio blocked spam-mails not much but one that hits you may
> be enough for a huge damage


Reindl,

Yeah, looking at what you had written made me think that maybe I should go back and check my logs.  It's been a while.  I have some scripts in place that scan the logs daily looking for trends but I haven't looked at them in a while (since the volume never hit my threshold of 50/day in over a year).  Anyway, got 2 this year with a couple hundred or so remaining email accounts.

Jan  3 21:30:00 hsfremti01 clamsmtpd: 112A51: from=[hidden email], to=bill@*.com, status=VIRUS:Email.Phishing.Pay-44
Jan  4 06:41:19 hsfremti01 clamsmtpd: 112C08: from=[hidden email], to=sue@*.com, status=VIRUS:Email.Trojan-290

I use spamassassin (2002), clamav (2004), and sqlgrey (2006).  The spam filtering seems to drop the % of email to a ridiculously low level so what's left was always real simple to scan.

Anyway, thought I'd give you my feedback on what you're seeing for spam/viruses as well.
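
An added example, not Gary's own script: one way to do the daily scan described above, tallying clamsmtpd `status=VIRUS:` lines per day and signature and reporting days that reach a threshold (50/day by default, as in the post). The function names, host name, addresses and the `status=CLEAN` line are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Matches the clamsmtpd syslog line format shown in the post above.
LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ clamsmtpd: "
    r"(?P<id>\w+): from=(?P<from>.*?), to=(?P<to>.*?), status=(?P<status>\S+)$"
)

# Constructed sample log (host, queue ids and addresses are placeholders).
SAMPLE_LOG = """\
Jan  3 21:30:00 mx1 clamsmtpd: 100001: from=a@example.org, to=bill@example.com, status=VIRUS:Email.Phishing.Pay-44
Jan  3 21:31:10 mx1 clamsmtpd: 100002: from=b@example.org, to=sue@example.com, status=CLEAN
Jan  4 06:41:19 mx1 clamsmtpd: 100003: from=c@example.org, to=sue@example.com, status=VIRUS:Email.Trojan-290
Jan  4 06:45:02 mx1 clamsmtpd: 100004: from=d@example.org, to=bill@example.com, status=VIRUS:Email.Trojan-290
Jan  4 07:00:00 mx1 postfix/smtpd[123]: connect from unknown[192.0.2.1]
""".splitlines()


def daily_detections(lines):
    """Return {day: Counter({signature: count})} for VIRUS verdicts only."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line.strip())
        if m is None or not m["status"].startswith("VIRUS:"):
            continue  # other daemons, clean mail, malformed lines
        day = f'{m["mon"]} {int(m["day"])}'
        signature = m["status"].split(":", 1)[1]
        per_day[day][signature] += 1
    return per_day


def days_over_threshold(lines, threshold=50):
    """Return {day: total detections} for days at or above the threshold."""
    totals = {d: sum(c.values()) for d, c in daily_detections(lines).items()}
    return {d: n for d, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    for day, sigs in daily_detections(SAMPLE_LOG).items():
        print(day, dict(sigs))
    print("alert days (threshold=2):", days_over_threshold(SAMPLE_LOG, threshold=2))
```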


Fwd: free antivirus scanner ?

francis picabia
On Wed, Jan 4, 2012 at 12:36 PM, Gary Smith <[hidden email]> wrote:

>> On 03.01.2012 18:30, Stan Hoeppner wrote:
>>
>> > To add to this sentiment, haven't most/all the viri/malware pushers
>> > switched from an email delivery vector to drive-by downloads?  I can't
>> > recall the last time I saw a viral email attachment.
>>
>> our barracuda saw 2929 in the last year
>>
>> compared with 14 Mio blocked spam-mails not much but one that hits you may
>> be enough for a huge damage
>
>
> Reindl,
>
> Yeah, looking at what you had written made me think that maybe I should go back and check my logs.  It's been a while.  I have some scripts in place that scan the logs daily looking for trends but I haven't looked at them in a while (since the volume never hit my threshold of 50/day in over a year).  Anyway, got 2 this year with a couple hundred or so remaining email accounts.
>
> Jan  3 21:30:00 hsfremti01 clamsmtpd: 112A51: from=[hidden email], to=bill@*.com, status=VIRUS:Email.Phishing.Pay-44
> Jan  4 06:41:19 hsfremti01 clamsmtpd: 112C08: from=[hidden email], to=sue@*.com, status=VIRUS:Email.Trojan-290
>
> I use spamassassin (2002), clamav (2004), and sqlgrey (2006).  The spam filtering seems to drop the % of email to a ridiculously low level so what's left was always real simple to scan.
>
> Anyway, thought I'd give you my feedback on what you're seeing for spam/viruses as well.
>

We have about 5000 users.  In use: postfix 2.8 with postscreen, sqlgrey,
nolisting, amavisd-new, and clamav.  RBLs: mail-abuse.com (costs money),
zen.spamhaus.org (the last check, to keep their volume down)

Here are some stats so far from today, which is about 1/3 of the 24 hour totals:

Jan 4
Connect: 11661
Delivered: 8094
Reject total:   18525
Reject spamhaus:   172
Reject MAPS RBL+:   12453
Reject Reverse DNS:   1060
Reject address or overquota:   2293
Early Hangup:   6296
Pregreeted:   4239
Greylisted:   1361
Tagged:   1086
Quarantined:   870
Infected: 12

On some days there are hundreds of malware delivery attempts, but this
can include phishing attachments.

Re: free antivirus scanner ?

Benny Pedersen
In reply to this post by Frank Bonnet
On Tue, 03 Jan 2012 16:26:57 +0100, Frank Bonnet wrote:

> I'm searching for a friend (who has very few money) an open source
> antivirus scanner for email server that works with Postfix.

ClamAV hooks nicely into postfix with clammilter and smtp via clamsmtp

Re: free antivirus scanner ?

Miles Fidelman
Benny Pedersen wrote:
> On Tue, 03 Jan 2012 16:26:57 +0100, Frank Bonnet wrote:
>
>> I'm searching for a friend (who has very few money) an open source
>> antivirus scanner for email server that works with Postfix.
>
> ClamAV hooks nicely into postfix with clammilter and smtp via clamsmtp

also wires in nicely via spamassassin


--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra

